Ibukun Adebayo had been working at charity Turning Point for nine years when what should have been an innocent task caused the IT director's career to come crashing down at the social enterprise supporting those affected by drug and alcohol misuse, learning disabilities and mental health problems.
In March 2013 a Turning Point employee made a subject access request under the Data Protection Act to locate messages on the charity's email system. As IT director and head of information security, Adebayo was asked to carry out the request. To avoid revealing private emails from other employees who shared the first name of the person who had made the request, she used her own name to test the search tool.
"In the preview pane, the first email I saw was a sexual email about me and I thought, oh my God," says Adebayo. "Then I scrolled down and I read five emails and I thought, oh my goodness."
The emails she discovered included messages from deputy chief executive David Hoare referring to sex acts, mocking her religious beliefs, and descriptions of Adebayo as "looney tunes" and someone who "employs nutters".
Adebayo was accused of improperly accessing the system. She was dismissed from her post in August 2013 under the charge of committing gross misconduct.
Adebayo took her case to an employment tribunal, where the finding of gross misconduct was upheld but she was found to have been unfairly dismissed.
Lord Victor Adebowale, the Turning Point chief executive, had been the recipient of a number of the emails in question from Hoare. He took the decision to suspend and then dismiss Adebayo for the alleged breach of IT security policy but did not apply the same penalty to his deputy chief executive, who was also the charity's equality and human rights chief. The tribunal ruled Hoare was guilty of gross misconduct by sending offensive emails that were also breaches of the policy.
An appeal by the charity against the ruling was withdrawn in January, finally bringing Adebayo's legal ordeal to an end. The professional and personal damage is proving harder to repair.
Adebayo was managing more than 20 IT workers and a £1.3 million-a-year budget at the charity that once counted Princess Diana as its patron when she discovered the emails in the company's London office. She insists that she would not have taken it to an employment tribunal if the company had not tried to force her out or escorted from of head office suggesting she had acted fraudulently. "No job is for life," she said.
Turning Point offered Adebayo six months' salary as a pay-off. Knowing the fallout would damage her prospects of finding another job, she said no. The charity, says Adebayo, argued that as the issue was over content concerning herself that she should have made a formal request to access the emails to the head of HR. She was reluctant to do this as the head of HR was her line manager's wife.
In line with the Turning Point HR policy of first attempting to resolve issues informally, Adebayo attempted to arrange a meeting with her boss through mediators. The offer was rejected. Her bosses said they were too embarrassed to continue working with her and that she should just take the money and leave.
"I said no, you don't need to be embarrassed," she says. "I'm a toughened IT professional and worse has been said in my department and indeed in the IT world, so there's no need to be embarrassed. I offered to work from another office, but they said they could not work with me any longer and when I repeatedly refused the money, they then said, 'Okay, we'll walk you out'. They escorted me out of head office."
At the tribunal, the charity had spent close to £1 million on a formidable barrister, who helped them escape many charges and gain confirmation that Adebayo had committed gross misconduct. He couldn't prevent the tribunal ruling that Adebayo shouldn't have been dismissed and religious and race discrimination, harassment and victimisation claims succeeded.
Even then Adebayo says she only wanted to return to her job, and again offered to work from a remote location until any remaining issues were overcome. But for her bosses, it was too late for reconciliation.
Adebayo was alleged to have breached her own policies. Her role also encompassed a separate job description for her position of head of information security officer, which made her responsible for preventing, detecting and investigating information security breaches. At the tribunal, the respondent argued that she wasn't responsible for investigating breaches that concerned her.
"Maybe I should have clarified exactly what that responsibility meant, because as CISOs everyone can make up these policies and all these procedures and everything," she admits. "However, we don't often take a look at the internal risks or what happens if the breach concerns oneself."
She emphasises the importance of clearly defining the role of CIO and CISO at every organisation, a discovery that marked the start of Adebayo's woes at Turning Point.
"In 2008, HR, my boss, my line manager and the CEO, they decided to go out there and invite a company to implement an HR system that costs £1.6 million," she says. "My team insisted that we could develop that system for £200k if they brought in a few more developers."
Instead of tendering the contract, Turning Point called on a company called Activ8 intelligence to deliver the system. Adebayo said that she later learned one of the consultants brought in from Activ8 to work on the HR systems implementation programme was the wife of her line manager.
Adebayo said that the programme failed and was decommissioned in 2011, and Turning Point was left to write off the costs. The vendor was let go, but the the wife of Adebayo's line manager was retained as a permanent head of HR and subsequently became HR Director, and the person from whom Adebayo should have requested to access the emails that led to her dismissals, Adebayo says. Another of the Activ8 consultants left for a few months following the termination of the contract but subsequently returned to Turning Point in a senior role.
Adebayo had protested strongly against the decision to implement the programme, as anything to do with systems should have been her responsibility.
"A CIO should be responsible for systems and data; so define your responsibility as a CIO and then just get on with it," she says. "CIOs and CISOs should make sure that their policies are stated clearly and that they take into account all risks, including internal risks. What do you do when it's your internal officers or your internal staff that are breaching your policies?"
The security issues Adebayo uncovered in 2013 are even more relevant today, as she's learned through her studies on operational risk. Ransomware has become a major threat to IT security.
"The point I was raising to them when I found the emails was that it's OK for me to have found these emails as your CISO," she says. "However, what would have happened if a hacker had got hold of these emails?
"When a cybercriminal actually hack into your systems, what they do is that they take a copy of the data and then they lock you out. When you regain access to that data, that doesn't mean that they haven't retained a copy of your data, and if you've got inappropriate material in there, you're exposing the organisation to blackmail, even if you don't have your credit card information in the data they have retained."
Threats can come from anywhere, whether external hackers or internal executives, and clarity is required over what exactly the CIO is responsible for protecting.
Clearing her name
Adebayo said that her reputation as an IT professional was more important to her than the role she was forced to leave.
"I will not fight for a job, but I will fight for my name, for my reputation. That's more important to me than any job, and I'd rather be debarred from getting another job because I've dared to challenge any attempts to defame my reputation than because anyone thinks that I've committed any fraud or any hacking of some sort.
"I've applied for over 4,000 jobs since my dismissal and had two interviews in 2014, and that's it. A lot of feedback I'm getting is that I'm overqualified - which is the feedback I was getting while I was at Turning Point, that I'm overqualified, that I shouldn't do an MBA in addition to the qualification I held then. But at tribunal, they came and said, 'She's not qualified to do her job'," Adebayo said, despite her positive annual reviews and the 96.4% positive feedback her IT department received from the company's 3,000 staff months before her dismissal.
"This is why I really went to do the MBA which I completed in November 2016."
Adebayo has stayed busy expanding her CV and knowledge, adding financial compliance qualifications to enhance her understanding of budgets and her credentials for a career in investment operations.
She also completed her cybersecurity certification last year, adding to the CISSP (Certified Information Systems Security Professional) she attained in 2010 to encompass contemporary threats such as financial fraud and identity theft. As organisations are consolidating and trying to trim costs, she thinks modern CIOs need more than one single skill set.
"I registered and enrolled for an MBA in finance and international business because many CIOs tend to report to the CFO or the person responsible for finance," she says.
"For me, it's crucial that CIOs actually start to look along the lines of expanding our skill set, not only in terms of cyber, but in terms of finance as well. The case for understanding finance has always been there because if you're responsible for a capital or operational IT budget, you need to actually understand exactly what you're responsible for.
"We just have to expand to understand the risks that we face with regards to our data. To understand the financial, criminal risk that we face. To also understand the security risk we face, both internally and externally."
Adebayo received a payout following a remedy hearing judgement in December 2015, but Turning Point then made an appeal. Adebayo represented herself in the first trial but hired a barrister for the appeal hearing, which she believes was what led them to withdraw it just before the hearing scheduled for February 2017.
"They recently offered a repudiation reference but as far as I'm concerned, I've been out of paid work for three-and-a-half years now because false allegations were made against me," she says. "So a reference isn't going to get me anywhere. I'm not getting the interviews."
Adebayo says she fostered a close-knit team built on relationships and mentoring to ensure staff not only gave the best for the organisation, but also to themselves. She would forgive her executives and return to work, despite most of her closest allies having since moved on.
"Great guys I've worked with, brilliant, brilliant guys," she remembers with a smile. "Brilliant people and my department was about 40% female. Just a great atmosphere and that's another reason why I didn't want to leave, because we were like a big family. A decent family with everyone with the same values, different religions, about 12 different nationalities in a team of about 23.
"As soon as they got rid of me, they then let go of everyone who had been loyal to me but thankfully people have got other jobs and they've stayed in touch.
"I started Turning Point's first apprenticeship scheme and one of my concerns when I was dismissed was about that those young people - I just thought, what impression do you want them to have of us as an organisation?"
What still distresses Adebayo the most is the claim made by Lord Adebowale of her "hacking into staff emails" which he recently offered to repudiate. She insists that she had only used her own name to test the search tool because there were nine other members of staff staff in the charity with the same first name as the employee she had been asked to search for and she didn't want to expose their private emails.
"My core skill is integrity," she says. "I think that's the core message, that above all the technical and professional qualifications that I've got, that my core skill and attitude to work and life is integrity. Certifications or religion aren't what makes a person, it's character."